By Jannette Cabardo, Data Team and Product Manager In adherence to the latest eDAA’s specification on providing opt-in preference for users, TRUSTe supports the functionality to opt users out and in seamlessly through our ads preference manager. This opt-in feature provides additional benefits to the ads ecosystem, because users are able to opt back in seamlessly …

by Helen Huang, Sr. Product Manager The digital data transformation continues as ad companies engage users and collect data across multiple devices. Evolution of technology is typically followed with changes in the policy and regulations to address technology changes. Compliance with Digital Advertising Alliance’s November 2015 Cross-Device Guidance, will now be enforced by the Data …

by Jannette Cabardo, Data Team Manager The Federal Communications Commission’s ruling last October stated that Internet Service Providers must get permission from users to gather and share consumer’s private data such as web browsing history, app usage, and geolocation. Before the ruling, broadband providers could track users, unless they requested otherwise. With the speedy rise …

Effectively managing website tracking technologies is fundamental to online channel marketing. In the increasingly complex and data-driven world of marketing and e-commerce, many organizations recognize the importance of how understanding and managing the digital environment are a key centerpiece of the business. TRUSTe Website Monitoring Service is an in-depth web monitoring technology serving Publishers, Advertisers …

Now that GDPR has been finalized, Privacy Shield is in place, EU regulators are turning to review the e-Privacy Directive including how companies are complying with the Cookie Directive (Section 5(3)c under the e-Privacy Directive). The Cookie Sweeps Round 2 conducted by the French Data Protection Authority, CNIL, is reviewing data companies in the ad …

In adherence to the latest eDAA’s specification on providing opt-in preference for users, TRUSTe supports the functionality to opt users out and in seamlessly through our ads preference manager. This opt-in feature provides additional benefits to the ads ecosystem, because users are able to opt back in seamlessly after opting out, instead of having to clear cookies via browser settings.

How It Works:

When users opt-out or opt-in from our preference manager, TRUSTe sends opt-out or opt–in requests to the companies selected. To opt the user out, the company places a cookie in the browser to indicate users’ wish to opt-out of tracking. To opt the user in, the company deletes or updates the opt-out cookie in the browser to indicate users’ wish to opt into personalized advertising when serving ads on pages that users’ visit.

Users can opt out and in from online behavioral targeting through a couple simple clicks in our preference manager on desktop and/or mobile environments.

Fig. 1. Preference Manager with Opt-In Feature

To learn more, please contact TRUSTe with any questions, and learn how you can integrate this new feature into your solution.

The digital data transformation continues as ad companies engage users and collect data across multiple devices. Evolution of technology is typically followed with changes in the policy and regulations to address technology changes. Compliance with Digital Advertising Alliance’s November 2015 Cross-Device Guidance, will now be enforced by the Data & Marketing Association and Council of Better Business Bureau starting February 1, 2017.

DAA, DMA, and CBBB, in addition to the Federal Trade Commission, have taken active roles to examine cross-device use cases with industry stakeholders in order to determine a “common sense guidance” for companies who engage users across many devices in the context of mobile and desktop.

Highlighted in the Cross-Device Compliance Webinar hosted by the DMA, “companies need to clearly explain the scope of the opt-out stating exactly what users are opting-out and extent of devices it applies to.”

The guidance includes additional notice requirements to inform consumers that data is collected among various devices and inferred connections are associating multiple devices to a single user.

Preferences (e.g., opt-outs) apply to the browser or device from which choice is made by the user. In short, “data can’t go in and out from a certain environment or device once the opt-out has been made for that device or environment.”

The cross-device guidance is independently enforced by the DMA and CBBB. Since 2015-2016, DMA has handled 540/12,000 inquiries and 6/37 cases that are IBA-specific.

TRUSTe offers compliance solutions that help companies implement the proper cross-device notice and choice requirements for both First Parties and Third Parties. TRUSTe has been serving billions of AdChoices icons on a daily basis since 2011, and is the only partner that can also help assess your disclosures against TRUSTe’s Trusted Data Certification Standards that align with the Cross-Device Guidance requirements and other industry self-regulatory frameworks. Click here to learn more about TRUSTe’s various certifications and assessments. Contact us to discuss how TRUSTe can help you come into compliance with the DAA Guidelines before February 1, 2017.

The Federal Communications Commission’s ruling last October stated that Internet Service Providers must get permission from users to gather and share consumer’s private data such as web browsing history, app usage, and geolocation. Before the ruling, broadband providers could track users, unless they requested otherwise. With the speedy rise of smart devices that use broadband services, like refrigerators or central automation devices, ISP’s would be able to gather information on e.g. what is inside the refrigerator or scan other automation devices. The increasing amount of personal data being collected can be used to target customers with ads relevant to their online behavior.

After the ruling, there are additional requirements that these companies must meet. The new rules require broadband providers to obtain permission from customers to gather and share data based on their online preferences and information such as location, financial information and app usage. An explicit consent must be obtained from the subscribers before broadband companies can use and share their data with third party vendors.

Some global telcos have made large acquisitions to monetize their advertising inventory. With F.C.C.’s ruling, this plan can add additional requirements to their initiatives. For ISP’s, an implementation of a consent mechanism can be a solution to ensure that only necessary information are collected. Proper disclosure in the privacy policy will also notify users which information, on a very minimum, will be collected to use the service.

If you are an ISP and would like to sit down and discuss how TRUSTe can help, please contact us here.

Effectively managing website tracking technologies is fundamental to online channel marketing. In the increasingly complex and data-driven world of marketing and e-commerce, many organizations recognize the importance of how understanding and managing the digital environment are a key centerpiece of the business.

TRUSTe Website Monitoring Service is an in-depth web monitoring technology serving Publishers, Advertisers and Brands. It can identify all tracking activity, and clients use our Website Monitoring tracking reports to properly mitigate compliance risks and prevent revenue leakage. In addition, TRUSTe Website Monitoring collects valuable data that shows how trackers affect Web Performance. As companies add more 3rd party code for advertising, social media, or analytics purposes onto digital properties, it becomes more challenging to manage across departmental teams.

Every new tracker added to a site can introduce additional latency and degrade the customer experience. It is the end user visiting the website who bears the brunt of this overhead when they load pages containing third-party code. Research has shown that as little as 250 milliseconds of latency can negatively impact the user experience. This can result in less time spent on your site and ultimately a loss in revenue (Optimizely Blog). It’s critical to identify the unique trackers that are negatively impacting page load time and take measures to address it. .

TRUSTe can first disclose all the tracking activity discovered on the digital properties via our in-house robust, proprietary crawler. The trackers are provided to our clients with additional important information to optimize page performance, such as reporting on how long the tracker took to load, where it was found, and how it got onto the page.

TRUSTe encourages our clients to monitor their websites not only to help mitigate privacy risks but also to protect your revenue. Contact us today if you’d like to learn more about who is tracking users on your site and how they may be impacting performance.

Now that GDPR has been finalized, Privacy Shield is in place, EU regulators are turning to review the e-Privacy Directive including how companies are complying with the Cookie Directive (Section 5(3)c under the e-Privacy Directive). The Cookie Sweeps Round 2 conducted by the French Data Protection Authority, CNIL, is reviewing data companies in the ad technology, social media, and analytics industries. In about 18 months, May 2018, the EU General Data Protection Regulation [GDPR] will be in effect and require companies to have auditable documentation of data processing activities in place. Ad companies who are the biggest and most complex data aggregators, users, and processors need to figure out a scalable methodology to come into compliance.

Data is collected and shared among various players in the ads ecosystem. As tracking technologies evolve and get more sophisticated, ad companies need to understand what data is collected; where it is stored; who it is shared with; and how long it is retained. It’s key that ad companies have proper data inventory and mapping processes, and a technology solution to support a scalable privacy and data governance framework to meet upcoming regulatory obligations.

As TRUSTe’s Assessment Manager continues to get broader adoption by privacy and compliance teams we have seen that not all companies review assessments in the same way. There is no such thing as one size fits all when it comes to processes within the privacy teams.

For this reason TRUSTe Assessment Manager has evolved to support different approval workflows. Our customers choose the one that most closely follows their process and are able to customize workflow based on the assessment type.

I will describe each of the 3 main approval workflow options below.

Option 1: Simple Approval

This option allows the privacy reviewer(s) to approve the assessment at any time after all the questions have been answered. While the reviewer will be able to see and review all the issues that have been flagged on the assessment, she will be able to approve the assessment at any time. There is no system enforcement that the issues must be formally resolved prior to approval.

Option 2: Issue resolution required prior to Approval

This workflow option requires all issues that have been flagged on the assessment to be resolved prior to approval. This is the most commonly used workflow. It requires the reviewer to formally resolve every issue and “accept” the assessment before she can perform the final approval.

Option 3: Ability to re-open completed assessments

This option is an extension of option 2, and provides additional functionality for the privacy reviewer to reassign sections of the assessment back to users. E.g. if it is becomes obvious that Tony Berman is not the subject matter expert on a particular topic, the reviewer can assign those sections to the person who is – even after the assessment had been submitted by the original respondent.

As an existing TRUSTe Assessment manager customer you are already managing many different Privacy Assessments through the platform.

TRUSTe Assessment Manager is predominantly used by organizations to assess their products, systems, businesses, vendors and assets against privacy standards, regulations and policies in order to identify and mitigate privacy risks. The latest Assessment Manager release further improves the assessment process with enhanced communication, follow-up question flow logic, and review experience. In addition, the new advanced reporting and tagging features allow you to create any number of custom fields, for example, countries or divisions, tailored to match your organization’s business needs, as well as to tie assessments to specific organizational entities within your company and to use the new advanced project search for very complex search criteria.

The diagram below indicates how the newly added features fit into the overall Assessment Manager workflow.

Click on the image to expand

Read on for a more detailed description of these new features.

1. Program Reporting Using Advanced Search

The new advanced search feature allows you to perform very complex and granular project searches based on multiple criteria. Click on ”Advanced Search” on the “Projects” page, to add as many search parameters as you need.

Click on the image to expand

Example Use Case: Program Reporting

Say your privacy team has run 60+ Privacy Shield assessments across your organization to understand EU-US data transfers (as some of our customers have). As a CPO you need to be able to quickly slice and dice the information you need. Two main features in the Assessment Manager make this now easier than ever. You can now (1) tie assessments back to specific organizational entities within your enterprise, and (2) use the new advanced search feature to drill down into specific assessment criteria.

For example, if you need to identify all assessments for the Human Resources Department where Sensitive PI is transferred from the EU to the US, you can run and save that query for future use.

2. Template Customization Options

a. “Prologue” and “Epilogue”With “Prologue” you can provide your respondents with instructions they may need in order to complete the assessment.

Click on the image to expand

With “Epilogue” you can provide your respondents with additional information at the end of the assessment and have them attest to the accuracy of their answers.

Click on the image to expand

b. Additional answer options

Two additional answer options are now available:

“All of the above” – allows users to indicate that all options are applicable without the need to select them individually. It can be particularly useful for questions with many answer choices.

“None of the above” – allows users to indicate that none of the options apply.

Compliance expressions can refer to these new answer options directly.

c. Advanced follow-up question flow logic

With the addition of cross-section follow-up question flow logic, users now have the ability to create follow up questions based on the answers to the questions from the previous sections.

3. Real-time collaboration

It is now possible to send a comment with a question to any user and non-user with an e-mail address. This is available for:

The comments section in the assessment survey

Comments on tasks

Comments in the assessment report

Comments in the project approvals.

The person will receive an email notification with your comment and will be able to reply to that email with their response. The response will be added as an additional comment for ease of review.

To send a comment to a particular person, put this person’s email address at the beginning of your comment enclosed into “[~ ]”, for example, [~tberman@truste.com]. Thus, your comment might be: ”[~tberman@truste.com] Tony, have you updated the privacy statement?”

Click on the image to expand

4. Customized Organizational Group Tags

You can add any number of custom fields to your projects tailored to your organizational needs. The list of the available values for each of those fields can be configured separately through “Tag Groups” in the Admin area of your account. For example, you may create a Tag Group called “Brand” with different brand values. If you then associate this new Tag Group with a “Project” entity, your Projects will have an additional “Brand” field, where you will be able to select one or more of the brands from the drop down list during project creation.

Click on the image to expand

5. Additional Assessment Participants

You now have the ability to add additional participants to the project. Project Participants are able to access the project report , to track the progress of the assessment. Typically they are stakeholders who have an interest in the assessment outcome.

Click on the image to expand

For more information on any of these new features please refer to the TRUSTE Assessment Manager user guide available from your account.

GDPR is bringing a long-awaited standard regulatory approach to user data privacy and control in the EU. Global companies are paying close attention since the GDPR applies to any company collecting data on residents in the EU regardless of where the company is located. With the current initiative of the e-Privacy Directive Working Group, the privacy industry is analyzing how these heightened requirements will play out and complement the existing user data privacy and control regulations which broaden scope and address data collection points outside of digital tracking technologies.

GDPR codifies an increased level of protection and control for the user by expanding the consumers’ rights:

Consumers may access their data (Article 15[1]).

Consumers may request information on where and when their data is processed (Article 15).

Consumers may request a digital copy of their data and transfer that data to another data controller in a relatively seamless manner (Article 18[2]).

Consumers may request erasure of their data and receive confirmation of the erasure (Article 16[3] & 17[4]).

In addition, the data subjects’ consent must be freely-given, specific and informed…either by a statement or by a clear affirmative action, signifying agreement to processing their personal data (Article 7[5]).

“Personal data” is defined as “any information relating to an identified or identifiable natural person. Under GDPR, “personal data” profiling is further expanded for example, to biometric data and other unique persistent identifiers that were ambiguous before such as IDFA and GAID. (Article 4[6]).

Although the deadline of May 28th, 2018 feels far away, the schedule to come into compliance with the new GDPR consent requirements is tight. Reference guided timeline below.

Scope Definition: A company must first determine scope of the internal consent initiative in order to make strategic resource calculations.

In-House Build or Vendor Selection: A company then makes a business decision on whether to build the consent solution in-house or select a consent vendor. Selecting the right consent vendor could take some time depending on internal organization procurement procedures.

Scope Definition continues: The company kicks off the project by identifying data collection points and analyze where the consent integrations have to be completed. TRUSTe has a Data Discovery system with PII/SPII detection technology for digital properties to help companies automate this process.

Project Implementation: Once scope and design deliverables are approved, the engineering team needs to bake the consent integration into internal sprint release cycles.

TRUSTe is evaluating the GDPR consent requirements in order to evolve our existing consent solutions and help companies achieve compliance by the May 28th, 2018 deadline. Working with TRUSTe provides all our resources and guidance within a hand’s reach:

A software technology that helps companies come into compliance with the notice, consent, and audit requirements of GDPR.

A software technology that works on desktop and mobile devices. Not only is TRUSTe’s consent notice mobile-optimized, TRUSTe’s solution is tracking technology agnostic and can save consent with ID’s and/or emails.

A dedicated Technical Account Management team to facilitate implementation and provide post support maintenance.

A customer-facing portal to manage user consent choices at any point in the data collection and sharing process.

A client-facing portal to analyze consent metrics and maintain a database of informed consent for regulatory audits. The data can be exported and manipulated for custom reporting metrics.

Contact TRUSTe to learn more and participate in our GDPR Consent Program.

Assessment Manager allows organizations to run more assessments across their organization than ever before. The challenge you now face as a privacy professional is knowing what assessment information you have, and and be able to query it for your internal and external reporting needs. For example, you may suddenly have a need to identify all assessments touching China that collect health information. How do you get to that information?

With the latest release of Assessment Manager, you now have the ability to query your entire assessment database. This is achieved by leveraging a combination of one or more of the following features: filters; labels and search strings. For the first time, no assessment information is beyond your reach.

Using FiltersProjects contain metadata e.g. organization divisions, business units, countries etc.Assessments can be filtered by one or more of these fields. Assessments may also be labelled (either automatically based on question answers) or manually by a user. These labels can be added to a filter.

For example if you wanted to filter all your assessments for only those in China for your business Administration Division where credit card information is being collected you can filter by those parameters.

Using Search

Users can use the advanced search query to build out queries to meet their criteria. Search allows you to query your assessments for any assessment content. It is possible to search for particular question and answer combinations. All metadata and questions and answers are searchable and the search interface allows users to build out as many search parameters as needed.

Searches can be saved and re-used at any time simply by clicking on the saved search.

In addition, users are able to use to write and run lucene searches from the search box. E.g., to run a search on all assessments using third party vendors. this search a user would search as follows :

join% question:”vendor” AND answer:”yes”

If you also wanted to know which vendors have not agreed to your model contractual clauses you could add that to query too by adding:

If you wanted to know this for a particular country or division specfifically then you can add the appropriate filter. To your search.

Finally you can save your query in your account to run at any time

Having this level of information available at one’s fingertips addresses the challenge currently faced by most privacy professionals – that they cannot easily access all the information they have collected through their assessment process, for internal and external reporting purposes.

TRUSTe Ads Compliance Manager has long been compatible with major ad serving systems in the industry. To make the deployment experience more seamless for our clients, we’ve continued to push for deeper integrations with our valued partners.

If any campaigns are trafficked in the Atlas platform, TRUSTe Ads Compliance customers simply enter three parameters: pid, aid, and cid parameter as shown below to activate the back-end integration TRUSTe has with Atlas. This template allows customers to pull in the TRUSTe tag and append the OBA icon onto campaign creatives in an easy way.

TRUSTe customers can enter macros in the parameters. For example, an ad operations manager can enter campaign macros in the cid param in order to receive granular reporting by campaign. This feature helps our clients verify that all campaigns have the OBA icon appended properly.

If you are an ad server and interested in a deeper integration with TRUSTe, please email hhuange@truste.com. Thank you.